REVIEW – LAST LECTURE
REVIEW - SOCIAL ENGINEERING
The most common type of attack
Basically: lying to someone to gain information on how to
penetrate the network or systems
Preys upon basic tendency in a company to trust other
company personnel and believe what they are told over a
phone or e-mail
No detailed technical skills required - but must be creditable,
knowledgeable of the organization and of methods and
procedures to gain access
Easiest place to attack: users and support desk
REVIEW - FOOTPRINTING
Before a hacker attempts to gain access to a
system, time must be spent gathering information
about the target.
This process is known as footprinting
it is a critical step in subverting the security of a target
Footprinting is the hacking equivalent to casing a
potential robbery location.
Systematic footprinting allows the hacker to create a
complete profile of the target system including information
about the domain, network blocks, IP addresses exposed
on the Internet, and system architecture.
Once the profile is known, a hacker will be able to focus on
specific machines and ports to gain access to the
Traci Southerland has been sentenced to 13 years
in prison for stealing personal information from the
Hamilton County (OH) Clerk of Courts' website and
using it to commit identity fraud.
Southerland and seven others used the stolen
information to commit credit card and check fraud,
netting them US$500,000.
The county clerk's website now blocks access to
documents that hold personally identifiable
Six people have been indicted on fraud charges for their involvement in a
phishing scam that tried to gather credit card and bank account numbers
from AOL users.
The individuals allegedly gathered thousands of AOL email addresses and sent
maliciously crafted ecards that downloaded software that prevented the users
from logging on to AOL without providing credit card or bank account
The cyber thieves allegedly used the stolen financial account information to buy
computers, gift cards and gaming consoles.
Three of the men have already pleaded guilty and face between two and nine-
and-a-half years in prison when they are sentenced in December. The other
three people have not yet been arraigned.
A contract worker at the Stevens Hospital
emergency room in Edmonds, Washington stole
patients' credit card numbers and gave the
information to her brother who used it to buy
thousands of dollars worth of goods over the
Yvon Hennings pleaded guilty to conspiracy to commit
access device fraud and wire fraud. She will be
sentenced in November and her brother's trial is slated
to begin in January 2007.
The data breach affected patients who visited the
emergency room between December 2003 and January
The first step in scanning is to determine which IP addresses
in the network block are machines that are live hosts.
This process can be done using the Internet Control Message
ICMP was designed as a simple protocol to report network error
conditions and supply basic network information.
Unfortunately, ICMP can be used by hackers for network
ICMP is a particularly good protocol for identifying active IP
Unlike the Transmission Control Protocol (TCP) and User Datagram
Protocol (UDP), ICMP does not connect to a particular service on a
given host, but rather attempts to contact the host operating system.
Knowing the IP address of a host is enough to determine if the host is
simply send it an ICMP echo request, a ping, and if it responds, you
know the machine is alive.
using ICMP to determine live hosts on a network is often termed ping
The whois on plu found the network IP address range
from 188.8.131.52 to 184.108.40.206
How many of those addresses are actually used?
Find out by sending a ping to each one
... This could take a lot of time
Example of a successful ping:
Example of an unsuccessful ping:
The ping sweep can be automated using
The command is:
nmap -sP 220.127.116.11/29
This is a particularly noisy scan that can be
detected by an IDS that looks for a
threshold amount of ICMP echo requests
originating from the same location over a
given amount of time.
Most IDS.s are capable of detecting this type of
scan, so it is not often used in practice
Using NMapWin (available from www.insecure.org) 3
systems at PLU were up and running:
WORK AROUND 1
If a hacker can limit the amount of echo requests issued, it
may be possible to not trigger an IDS alarm because the
threshold amount of ICMP requests will not be exceeded.
By issuing ICMP echo requests to known broadcast
addresses, the number of pings can be kept to a
For example, addresses with 0 and 255 for the last
byte are reserved and are typically used as broadcast
addresses to send a message to all addresses in the
Therefore, a clever hacker will send ICMP echo
requests to the 0 and 255 addresses for a given block
and potentially get back 254 echo replies.
This is much more efficient and stealthy than a scan
that sends individual requests to all 254 potentially
Another way to avoid easy detection is to
use a non-echo ICMP request
Such as a timestamp request
Or a address mask request
A useful tool is icmpush which will set up
and set an icmp request
For example: RESULT:
The site is
icmpush -tstamp 192.168.5.5 on-line
kenny.sys-security.com -> 13:48:07
From the whois and the ping sweep we know that
plu has at least 3 hosts available:
Now we want to find out what services are
available in the form of which ports are open
Remember: ports represent common services on a
system such as ftp on port 21 and the web on port 80
PORT SCAN METHODS
Port scanning can be subdivided in three groups: horizontal,
vertical, and block scans
A horizontal scan is a scan that queries a specific port on
This is used when an exploit is known for a particular service and
the hacker wants to know what machines are running this vulnerable
service. An example would be scanning for the notoriously
vulnerable ftp on port 21.
a vertical scan will be used in which all the ports on a given host
For example, if a hacker wants to alter the content of the CS web
site, all ports on the web server 18.104.22.168 would be scanned.
a block scan is a combination of a vertical and horizontal
A block scan can determine the same information as an ICMP ping
sweep (i.e., what machines are active in the network block), with
the added benefit of determining the services running on the
PORT SCAN TYPES
No matter which method is selected there
are several ways to go about scanning
ports on a system
Four common methods are:
TCP SYN scan
FTP bounce scan
TCP/SYN SCAN 1
To establish a TCP connection between a
source and a system port, two parties
execute a 3-way handshake
1 SYN Packet
Of course, the ACK is only
returned if the port is open
TCP/SYN SCAN 2
A connectionless SYN scan can be performed using nmap –sS.
This scan sends a message with a SYN in the TCP header but does not
reply to the host’s return message.
Because the client never replies to the host’s return message, a
full connection is never established and the half connection will not be
If the host port is open, a message with the SYN and ACK flags
will be returned.
If the host port is closed, a message with the RESET flag will be
If a host is contacted that is not alive, a border router will likely
respond with a host unreachable message.
If the network is configured to not respond with ICMP host
unreachable messages, there will be no reply when attempting to
scan an inactive host.
If the port is firewalled, there will also be no response.
Thus, the hacker must attempt to differentiate between an inactive
host and a firewalled port based on other data obtained in the
TCP/SYN SCAN 3
Results of a SYN scan of shemp:
Filtering and other security systems such as firewalls
will usually pick up on SYN packets sent to sensitive
Programs are also available to log half-open SYN scan
However, probe packets with strange TCP flags set can
sometimes pass through filters undetected
A stealth scan uses an unusual flag combination
which only closed ports respond to with a reset, these
A FIN probe with the FIN TCP flag set
A XMAS probe with all the flags set
A NULL probe with no flags set
An ACK probe
XMAS SCAN EXAMPLE
Result of an XMAS scan of shemp:
Notice how many
ports are open
FTP BOUNCE SCAN 1
An known problem in older ftp servers involves:
An attacker connects to an FTP server, which
has a world writable directory, and
establishes a control communication
The attacker can then ask the FTP server to
initiate an active server data transfer process
and send a file anywhere on the Internet,
presumably to a user data transfer process.
This can be exploited to scan behind a firewall
connect to an FTP server behind a firewall
then try to scan ports that the firewall blocks.
If a directory is writable for the account you are
using on the FTP server, you can also send data to
the ports you find open
FTP BOUNCE SCAN 2
The process looks like:
Send a PORT command
to the ftp server telling it
to connect a specific port
of the target machine
ftp Server The port is
Follow that with a LIST There will be one of two responses: open
command 150 Opening ASCII mode data connection for file list The port is
226 Transfer complete
425 Can’t build data connection: Connection refused
UDP port scanning is extremely slow.
Nmap will try to send a 0-byte datagram
and mark the port as open unless a ICMP
Destination Unreachable packet is
Does not require root privileges to scan.